EyePyramid Spy Effort Targets Celebs, Politicians

So far, the Italian police have published a preliminary report of the investigation. The Occhionero siblings also have been arrested and implicated as masterminds of a cyber-espionage operation that targeted a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, president of the European Central Bank.

The report shows that 18,327 unique usernames along with 1,793 passwords have been stolen, totaling roughly 87 GB of data. According to an IBM analysis, during the last few years the attackers had targeted around 16,000 victims, all in Italy, most of them law firms, consultancy services, universities and even Vatican cardinals.

The EyePyramid malware has keylogging capabilities and is able to exfiltrate stolen information to various command and control (C&C) servers. But it also affects the security posture of its targets: After the malware removes and modifies different security settings, users are left unprotected from a slew of potential attacks and vulnerabilities.

“This malware usually arrives as an attachment of a spear phishing email,” explained security firm Cylance, in a blog post. “The sender of this email typically uses compromised email accounts to make it appear that the email comes from a trusted source. The malware itself contains a list of targeted domains…To date, published analysis has uncovered over 100 domains associated with EyePyramid.”

Another hallmark of this malware is its persistence mechanism. Once the user opens and runs the malware attachment, it drops a copy of itself into the Temp folder and creates registry entries so that it runs on every system startup.

Once the malware has compromised the host system, it seeks to gain elevated privileges to perform administrative tasks—setting the malware up for lateral movement within the network environment.

The malware will also try to create a local admin user and add that user to the domain administrator group in Active Directory. This allows the malware to perform system changes and other functions with administrative privileges, and it also lets the malware connect to remote systems, possibly with a full administrator access token.
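The two behaviours just described, an autorun entry pointing into the Temp folder and a freshly created account that is promoted to an administrator group, are both easy to look for on a host after the fact. The following triage helper is an added example, not code from the article or from Cylance, Talos or IBM; the Run-key values and Security-log events it inspects are constructed sample data, and the event IDs it assumes are the standard Windows ones (4720 user created, 4732/4728 member added to a local/global group).

```python
# Added example: post-compromise triage for the EyePyramid-style indicators
# described above (autorun from Temp, new local account promoted to admin).
# Inputs are constructed so the script runs offline; on a real host you would
# feed it exported HKCU/HKLM ...\Run values and Security-log events.
import re
from datetime import datetime, timedelta

# Any executable path that passes through a "\Temp\" or "\Tmp\" directory.
TEMP_PATTERN = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Group names that confer administrative rights (Administrators, Domain Admins, ...).
ADMIN_GROUP = re.compile(r"admin", re.IGNORECASE)

# Constructed Run-key values: one legitimate entry and two living in Temp folders.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost32": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
    "Updater": r"C:\Windows\Temp\upd.exe -q",
}

# Constructed Security-log events (hypothetical names): a new account promoted
# twice within minutes, an existing account promoted, and a harmless new account.
T = datetime(2016, 8, 1, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T, "id": 4720, "account": "support_tmp"},
    {"ts": T + timedelta(minutes=2), "id": 4732, "account": "support_tmp", "group": "Administrators"},
    {"ts": T + timedelta(minutes=5), "id": 4728, "account": "support_tmp", "group": "Domain Admins"},
    {"ts": T + timedelta(hours=3), "id": 4728, "account": "bob", "group": "Domain Admins"},
    {"ts": T + timedelta(minutes=10), "id": 4720, "account": "intern"},
    {"ts": T + timedelta(minutes=20), "id": 4728, "account": "intern", "group": "Domain Users"},
]


def suspicious_autoruns(run_entries):
    """Return the names of Run-key values whose command line points into a Temp folder."""
    return [name for name, value in run_entries.items() if TEMP_PATTERN.search(value)]


def admin_escalations(events, window=timedelta(hours=1)):
    """Return (account, group) pairs where an account created by a 4720 event is
    added to an admin-like group within `window` of its creation."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[ev["account"]] = ev["ts"]
        elif ev["id"] in (4728, 4732) and ADMIN_GROUP.search(ev.get("group", "")):
            born = created.get(ev["account"])
            # Promotion of a pre-existing account (no 4720 seen) is not flagged here.
            if born is not None and ev["ts"] - born <= window:
                hits.append((ev["account"], ev["group"]))
    return hits


if __name__ == "__main__":
    for name in suspicious_autoruns(SAMPLE_RUN_KEYS):
        print(f"[autorun] {name} -> {SAMPLE_RUN_KEYS[name]}")
    for account, group in admin_escalations(SAMPLE_EVENTS):
        print(f"[escalation] new account {account!r} added to {group!r}")
```

The account check deliberately ignores promotions of pre-existing accounts, which is a separate (and noisier) review; on a live system, compare the flagged Run-key targets against the hashes of the dropped sample.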

“You can just imagine the gigabytes of data that it was able to steal over the years,” Cylance said. “However, this is not the only damage it causes, because the aftermath of the attack leaves its targets susceptible to a slew of further potential attacks and vulnerabilities, even after this malware is removed. The numerous security settings disabled by the malware appear to be an effort to ensure ease of access in the future. However, those disabled settings make it easier for any attacker to gain access, not just the author of EyePyramid. All of these modifications open a huge gap in the user’s security posture, leaving them vulnerable to future malware attacks.”

Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008.

While the malware campaign has been characterized as unsophisticated, Talos took a look at how EyePyramid managed to stay under the radar for years. It found evidence of domain generation algorithms, anti-VM and anti-debugging techniques, and of the malware subverting the operating system by disabling all security policies.

“Although it is true the authors made some trivial mistakes, throughout this post we have observed efforts to cover the vital information of this operation and an agent able to subvert the entire operating system security,” said Talos researchers Mariano Graziano and Paul Rascagneres, in a technical analysis. “Additionally, this sample is not stealthy for all the operations it performs but it has been undetected for years and is reported to have exfiltrated vast amounts of data.”

94% of CISOs Worry About App Compromise

A new study of one hundred CISOs has revealed that 94% are concerned about breaches in their publicly facing assets in the next 12 months, particularly within their applications.

The study, from Bugcrowd, highlights a key challenge facing organizations: As more applications become publicly accessible, more breaches are occurring at the application level. However, IT organizations are strapped when it comes to security: 71% of respondents face resourcing or budgeting issues within their organizations.

There are a number of reasons that organizations are finding themselves at a disadvantage: The cybersecurity job gap is at an all-time high; attack surfaces are complex and large as ever; and traditional application security testing methods just aren’t cutting it.

CISOs are currently using, on average, 4.8 application security tools and services. According to the study, outside of crowdsourced programs the top three are penetration testing (80%), incident response processes (79%) and application vulnerability scanning (71%). Others include threat modeling (50%), secure code review (54%) and app security training (54%).

"Security methodologies within today’s IT departments aren’t cutting it,” said Jason Haddix, head of Trust and Security, Bugcrowd. "Along with budgeting challenges, modern application security teams will continue to face security issues as long as investment areas continue to diversify. Reducing the risks associated with breaches begins with improving security culture throughout the organization, and finding a solution that scales within AppSec budgeting constraints. Unless you are a unicorn, you can’t staff and retain the headcount needed for a proper security program. DAST and SAST solutions only get you part way. It’s time for a real force multiplier in security.”

300Bn Passwords in 2020 = $6 Trillion in Damages

Account compromise continues to grow as a top infosecurity issue: The total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.

That’s according to a report from Thycotic and Cybersecurity Ventures on password security, which found that the amount of cybercrime damages stemming from this could reach up to $6 trillion by 2021.

While there is clearly a margin of error for the forward predictions based on several variables—most notably the number of Internet of Things (IoT) devices—Cybersecurity Ventures and Thycotic believe that the password attack surface will inevitably grow by an order of magnitude over the next four years.

“Any IoT device that has an interface will have a password protecting the interface that allows it to be configured,” said Joseph Carson, a Thycotic cybersecurity expert. “Plus, any Bluetooth-capable device like wearables will use a PIN for a passcode.”

Based on a very conservative estimate of one password per machine, the report estimates 200 billion machine passwords will need to be secured by 2020. The other 100 billion in the forecast are attributable to more traditional human-run accounts.

In 2016 alone, more than 3 billion user credentials and passwords were stolen, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. Much of this stems from security fatigue—a phenomenon that includes users being tired of remembering user names, passwords and PIN numbers; frustration in navigating multiple security measures; and account lockouts due to incorrectly entered passwords. The study also found that users believe safeguarding data is someone else’s responsibility, and users questioned how they could effectively protect their data when large organizations frequently fall victim to cyber-attacks.

“It is a very scary truth that everyone, especially those running businesses, should be aware of,” said Carson. “Our passwords are not safe, which is concerning as they are literally the key to some of the most important information that businesses hold.”

He added that privileged account passwords especially are prime targets for hackers, for good reasons.

“One privileged account password breach can allow a hacker to access and steal the credentials and passwords belonging to every employee in a company,” Carson explained.

As an example of the scale of exposure, the report notes that companies on the 2015 Fortune 500 list employed a combined 27 million people, a number which has since grown. Thycotic experts estimate that in 2020 these employees will each have an average of 90 accounts (a combination of business and personal) requiring login IDs and passwords. That would put the total number of passwords belonging to Fortune 500 employees at 5.4 billion in 2020.

While every employee has their own login credentials, there is a proportionately small number of privileged users (typically IT and system administrators) who each have access to hundreds, and sometimes thousands, of login IDs and passwords. Approximately five percent of Fortune 500 employees are privileged users, putting the number of people with privileged account access at 1.35 million.

“As the total universe of passwords will likely grow to 300 billion by 2020, organizations across the world face an enormously growing cybersecurity risk from hacked or compromised user and privileged accounts,” said Steve Morgan, editor-in-chief, Cybersecurity Ventures. “We felt it was extremely important to team up with an industry leader, such as Thycotic, to bring awareness to the tremendous vulnerability everyone is at risk for as the number of passwords continues to grow. This report will help to assist cyber defenders and educate the broader global community through a statistical analysis of the massive password expansion and associated challenges that lie ahead of us in the years to come.”

Trump Set to Sign Cyber EO as Election Hack Fallout Continues

Donald Trump is expected to sign an executive order on cybersecurity today, as reports in Russia link the recent arrests of cyber experts to the Kremlin’s alleged hacking of the US election.

The presidential order is set to call for several reviews of the government’s cybersecurity posture and offensive capabilities, a source told Reuters.

Trump campaigned on a promise to improve the nation’s cybersecurity, frequently decrying his opponent’s use of personal email for state business when she was secretary of state.

However, his election has been overshadowed by suggestions, now supported by his intelligence agencies, that he was helped to victory by Kremlin hackers – both via their spreading of false news and their theft and subsequent dissemination of damaging private Democrat emails.

Even Trump has now admitted that “as far as hacking I think it was Russia” – although he refuses to believe this had an impact on the election outcome.

The tale has now taken another turn with the arrest on charges of treason of three cybersecurity experts: Kaspersky Lab’s Ruslan Stoyanov, a former FSB intelligence officer; Sergei Mikhailov, a current FSB officer; and hacker Dmitry Dokuchayev.

Some reports have suggested that the arrests are linked to the explosive dossier produced by former British intelligence man Christopher Steele, which alleges the Russians have compromising material on Trump that makes him vulnerable to blackmail.

There are rumors that the murder of former KGB general Oleg Erovinkin was also linked, as he was the aide to one of Putin’s closest allies and a possible source for Steele’s report.

It’s possible that the news of the arrests, especially the Kaspersky Lab researcher, was “too big not to leak” – even in a country where the authorities have near total control over the media, according to Quartz.

ICO Set to Fine 11 Charities

The UK’s privacy watchdog is set to fine 11 charities for breaching the Data Protection Act, it revealed on Monday.

The Information Commissioner’s Office (ICO) said it will give the unnamed charities 28 days to respond to its findings before making a final decision on what kind of enforcement to take.

An ICO spokeswoman told Infosecurity that the 11 charities slated for financial penalties are in addition to the Royal Society for the Protection of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF), which both had fines levied against them in December 2016.

“They were all – including the RSPCA and BHF – investigated following media reports about repeated and significant pressure on supporters to donate,” she explained.

Those two are said to have secretly screened millions of their donors to target them for money; used personal info pieced together from other sources to target new and lapsed members and traded personal details with other charities, according to the ICO.

The RSPCA was fined £25,000 and the BHF £18,000, although commissioner Elizabeth Denham claimed the figure could have been 10 times higher had she not exercised considerable discretion in the cases.

“The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money,” she said at the time.

“Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.”

The watchdog is combining its enforcement action with education and outreach, in the form of the Fundraising and Regulatory Compliance Conference, to be held in Manchester on 21 February.

It’s set to help charities and their boards better understand the regulatory requirements and expectations of the Data Protection Act and the forthcoming GDPR.

New Netgear Router Worries After Trustwave Warning

Security researchers are warning of a new vulnerability potentially affecting over one million Netgear customers, which could give hackers complete control over their home routers.

Trustwave security researcher, Simon Kenin, explained that he came across CVE-2017-5521 after trying to remotely circumvent authentication on his own home router when it froze and needed rebooting.

The flaw could be exploited by a remote attacker if remote administration is set to be internet facing, which it isn’t by default, or by anyone with access to the local network, such as a public Wi-Fi hotspot, he claimed.

It effectively allows black hats to circumvent authentication, giving them complete control over a targeted router, to reconfigure it or reflash the firmware.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Kenin continued.

“With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network.”

Trustwave has already found more than 10,000 devices remotely accessible via this bug, but estimates the real number of affected units to be in the hundreds of thousands, “if not over a million.”

A Netgear Knowledge Base article details how users can test to see if they’re vulnerable, and then install new firmware to patch the bug.

The vendor was contacted about the flaw by Trustwave back in April 2016, but since then more and more models have been found to be affected, including the Lenovo R3220 router.

Netgear has since partnered with security testing organization Bugcrowd to improve the way it deals with disclosures.

“We fully expect this move will not only smooth the relationship between third-party researchers and Netgear, but, in the end, will result in a more secure line of products and services,” said Kenin.

US Marketer Exposes 400,000 Customers in Privacy Snafu

Security vendor MacKeeper claimed the files were left publicly available, leading to one of its biggest discoveries to date, and include customer details such as names, addresses, phone numbers, credit card numbers and CV2 numbers.

The firm is still working its way through the huge trove of data, but said that it has discovered 17,649 audio recordings with credit card numbers and private customer files and 375,368 audio recordings of “cold calls,” which also include some personal customer information.

The revelations are doubly damaging for the company in question, Vici Marketing. That’s because back in 2009 it apparently agreed to pay $350,000 to settle a complaint by the Florida Attorney General's Office alleging that it had obtained stolen consumer information without taking the correct steps to ensure it was acquired legitimately.

MacKeeper claimed that, as well as the privacy snafu which exposed sensitive customer data, Vici Marketing may also be breaking state laws because many of the cold call recordings do not warn customers that the calls are being recorded and subsequently stored.

“Improper data storage or misconfigured databases can happen to companies big and small, but for a company who has already paid a hefty price and has been the subject of regulatory violations it seems like they would take cybersecurity more seriously,” argued MacKeeper in a blog post.

“Under the terms of the 2009 settlement Vici is permanently prohibited from acquiring or using data without due diligence, using data of unlawful or questionable origin, accessing and using data for consumer telemarketing without background due diligence, and unlawful telemarketing.”

Researchers said it will take them several weeks to verify all the audio data they have, and promised to securely delete the publicly available data once the case is closed.

White Hat Ball Raises £198,000 for Childline

A record-breaking £198,000 was raised for Childline at the annual White Hat Ball last Friday, 27 January, eclipsing the £160,000 raised at the event last year.

Held at the lavish Lancaster London Hotel, the Ball, now a major occasion in the information risk and security industry, is in its 12th year and has generated more than £1.2 million for the NSPCC’s Childline service thus far.

The night, hosted by broadcaster and journalist Fiona Phillips, was attended by 630 industry guests, as well as guest of honor Childline founder Dame Esther Rantzen and, of course, the Infosecurity team – all of whom had a fantastic time at an evening packed with fundraisers, including a silent auction, raffle, pledge and live auction conducted by Clive Room, the charismatic chairman of this year's White Hat Ball committee.

"Yet again the White Hat Ball has raised an amazing amount of money for a cause we are deeply passionate about,” Room said. “Thanks to all of those involved in making it happen, our sponsors and those who attended, donated and gave so generously.

“I’m extremely proud to be part of an industry which has made such a difference to so many young lives over the past 12 years.”

With more and more young people turning to Childline for help with issues they are encountering online, the support given to the charity by the infosecurity industry has never been more relevant. Last year there were 11,253 Childline counselling sessions carried out with children and young people about online issues such as sexual abuse, bullying and safety.

Childline president, Dame Esther Rantzen, added: “I'd like to say a huge thank you to Clive, the White Hat Ball committee and the information security and risk industry for their support over the last 12 years. The money they've raised will help to make sure we can be there for every young person when they need us the most.

“At Childline we’ve become more aware of the dangers of the online world and it’s wonderful to have the support of an industry which is determined to keep the internet safe.”

“This virus affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost. No information contained in any of those documents, videos, or photographs was extracted or transmitted outside of the Police Department.”

The files affected date all the way back to 2009, although the police tried to play down the impact on investigations, claiming that hard copies of all documents and “the vast majority” of videos and photographs are still kept on CD/DVD.

“It is unknown at this time how many total digital copies of documents were lost, as it is also unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” it noted.

NGFW Management Gains Traction

A new study has found that next-generation firewalls (NGFWs) are approaching mass adoption, yet configuration auditing solutions are less prevalent. Use of those tools is translating into significant benefits, however.

According to Forrester Research, users of firewall auditing solutions are three to four times likelier than nonusers to address and implement firewall change requests within 24 hours, and firms that manually audit their firewalls face more challenges than those that use a solution. Solution users are also markedly more likely to say they can respond to a data breach in under an hour as a result of using firewall management tools.

According to the report, in the age of cybercriminals, hacktivists, state-sponsored agents and internal security threats, a zero-trust (ZT) network that assumes neither internal nor external networks can be trusted is the best approach to security. This makes firewalls and next-generation firewalls (NGFWs) critical to architecting a ZT network.

“While NGFWs play a crucial role in creating zero-trust networks, the inherent complexity means that if they are not configured properly or managed effectively, they will not be used to their full potential,” said Paul Calatayud, CTO for FireMon, which sponsored the study. “This study has shown that firewall management tools… help IT departments create more secure environments and save organizations a lot of time.”

He added, “The study shows as enterprises upgrade their firewalls to defend their network perimeters, many fail to modernize how they manage complex firewall rule bases. Nearly half of enterprises that use a next-generation firewall do not use firewall management or configuration auditing tools and that exposes the organization to more risk as well as increases the time it takes to respond to a potentially business-crippling data breach.”